svn commit: r280971 - in head: contrib/ipfilter/tools share/man/man4 sys/contrib/ipfilter/netinet sys/netinet sys/netipsec sys/netpfil/pf
Hans Petter Selasky
hps at selasky.org
Thu Apr 2 20:54:14 UTC 2015
On 04/02/15 22:26, Hans Petter Selasky wrote:
> On 04/02/15 20:46, Robert Watson wrote:
>> On Thu, 2 Apr 2015, Hans Petter Selasky wrote:
>>
>>>>> Does somebody here know what happens in these two cases:
>>>>>
>>>>> If we are transmitting using TSO, will the network adapter increment
>>>>> the IP ID field somehow? What happens if an outgoing IP packet
>>>>> resulting from a TSO packet get fragmented by a router?
>>>>
>>>> Quite possibly -- this is presumably specified by the NIC vendor, but
>>>> it would be good to do a bit of a survey and see what happens in
>>>> practice.
>>>>
>>>>> In ip_fragment() when we create fragments we should increment the
>>>>> ip_id value for each fragment?
>>>
>>> I'm asking because the code in FreeBSD, since the beginning probably,
>>> just copies the IP header, and use the same IP ID for all the
>>> fragments ! This just hit my mind after some recent work in this area.
>>
>> I honestly cannot believe you are proposing that.
>>
>> Please go read about how IP fragmentation works. Having an identical IP
>> ID in ip_fragment() is the point of the function!
>>
>
> Hi,
>
> rwatson: You're right, the more fragment flag gets set there, I
> overlooked that bit. Sorry.
>
> glebius: Given that you admit there is a small chance of an IP ID
> collision in the previous e-mails exchanged in this thread, why don't we
> have checks for that in ip_reass() when receiving fragmented IP packets?
> For example when ip->ip_off == 0 we know the TCP and/or UDP port numbers
> for TCP and UDP payloads and can check if a new fragment is starting
> before the previous one is completed. Then we would know if a collision
> has happened and could discard that packet. Not ideal, but better than
> data corruption.
>
Hi,
I see from the code that if two frags have the same IP offset, the whole
fragment list gets dropped, unless the IP payload is zero bytes long.
Maybe a "last" variable should be added?
> * only n will ever be stored. (n = maxfragsperpacket.)
> *
> */
> next = 0;
last = -1;
> for (p = NULL, q = fp->ipq_frags; q; p = q, q = q->m_nextpkt) {
> if (ntohs(GETIP(q)->ip_off) != next ||
+ ntohs(GETIP(q)->ip_off) == last
> ) {
> if (fp->ipq_nfrags > V_maxfragsperpacket) {
> IPSTAT_ADD(ips_fragdropped, fp->ipq_nfrags);
> ip_freef(head, fp);
> }
> goto done;
> }
last = next;
> next += ntohs(GETIP(q)->ip_len);
> }
--HPS
More information about the svn-src-head
mailing list